From dbea144f7249f9c244e748ac972fd86a54ee2086 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 7 Sep 2019 15:17:10 -0400 Subject: [PATCH] add ipv6 support --- client-cert-helper | 2 ++ vpn-mk-client-cert | 5 ++--- vpn-server-setup | 20 +++++++++++++++++++- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/client-cert-helper b/client-cert-helper index aedc4cd..f5b35ac 100755 --- a/client-cert-helper +++ b/client-cert-helper @@ -1,6 +1,8 @@ #!/bin/bash set -eE -o pipefail +# Outputs the keyfiles to stdout as tar.gz + rm -f /tmp/vpn-mk-client-cert.log exec 2>/tmp/vpn-mk-client-cert.log diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index b094c92..f4e5762 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -35,8 +35,8 @@ usage: ${0##*/} VPN_SERVER_HOST the generator keeps track, so you can't generate. -c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST -n CONFIG_NAME default is client --s SCRIPT_PATH Use custom up/down script at PATH, copied to same path - on client. +-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path + on client, if client is not localhost. Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able @@ -136,7 +136,6 @@ down "$script" # matching server config cipher AES-256-CBC - # example config has the commented line, but this other thing looks stronger, # and I've seen it in a vpn provider I trust # ns-cert-type server diff --git a/vpn-server-setup b/vpn-server-setup index ded2a78..30080d4 100755 --- a/vpn-server-setup +++ b/vpn-server-setup @@ -21,7 +21,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR usage() { cat <<'EOF' -usage: ${0##*/} [-d|-h|--help] +usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE] -r Do not push default route -d Do not push dns 
@@ -32,6 +32,8 @@ Sets up a vpn server which pushes gateway route and dns server so all traffic goes through the vpn. requires systemd, and might have some debian specific paths. +For ipv6, we assume ipv6_addr routes to the server. + You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and the script will not generate them if it sees they exist already. @@ -56,6 +58,9 @@ while true; do esac done +read -r ip6 ip6route <<<"$@" + + apt-get update # suggests get's us openssl. policy-rc.d is to prevent install from starting services f=/usr/sbin/policy-rc.d; @@ -184,11 +189,24 @@ push "dhcp-option DNS 10.8.0.1" EOF fi +if $ip6; then + cat >>$server_dir/server.conf <>$server_dir/server.conf <<'EOF' # Be the default gateway for clients. push "redirect-gateway def1" EOF + if $ip6; then + cat >>$server_dir/server.conf <<'EOF' +push "route-ipv6 2000::/3" +EOF + fi fi sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf -- 2.30.2
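Review bot: `if $ip6; then` in the `@@ -184,11 +189,24 @@` hunk runs the value of `ip6` as a command instead of testing it, so the new block is inverted: with no IPv6 arguments `ip6` is empty, the empty command succeeds, and the IPv6 directives are appended to server.conf with a blank address, while with an address supplied bash tries to execute it as a program, the condition is false, and the IPv6 config is never written. Both occurrences should test the variable, e.g. `if [[ -n "$ip6" ]]; then`. The `read -r ip6 ip6route <<<"$@"` added in this hunk also does no validation, and `ip6` then lands inside an unquoted heredoc written to server.conf (that stretch is garbled in this rendering), so a malformed positional argument ends up verbatim in the OpenVPN config; a sanity check before use such as `[[ "$ip6" =~ ^[0-9a-fA-F:]+/[0-9]+$ ]] || { echo "bad IPV6_ADDR/BITS: $ip6" >&2; exit 1; }` would fail early with a clear message. `ip6route` is read here but does not appear to be used in any visible hunk, which looks inconsistent with the IPV6_DEFAULT_ROUTE argument the usage text now advertises.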